office message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: RE: [office] ODF 1.2 PAS Submission comment JP5 - OFFICE-3869: proposal for discussion
- From: Oliver-Rainer Wittmann <ORWITT@de.ibm.com>
- To: "ODF TC List" <office@lists.oasis-open.org>
- Date: Wed, 14 Jan 2015 10:47:33 +0100
Hi,
thanks for the feedback.
I agree to Dennis' and Chris' suggested
improvements.
And yes from my understanding "covered
by the digital signature" has the meaning "referenced by <ds:Reference>
elements"
Thus, I am also fine to adapt the wording
here.
The refined proposal is:
<proposal>
We agree that the current wording might
cause an uncertainty regarding the relationship between encryption and
digital signatures.
We suggest to replace the last two paragraphs
of section 5.2 in Part 3 by:
"If a digital signature file is
not encrypted, each encrypted file referenced by <ds:Reference> elements
shall be signed in its encrypted form."
and
"If a digital signature file is
encrypted, then the files referenced by <ds:Reference> elements shall
be signed in their decrypted forms."
We also suggest to introduce a new section
3.9 "Interactions Between Encryption and Digital Signatures"
with the following content:
"An OpenDocument Package Producer
that both encrypts files in the package and applies digital signatures
to files in the package should either first encrypt (per section 3.4) and
then apply the digital signatures (per section 5) or first apply the digital
signatures and then encrypt.
If the encryption of the files is done
first, the digital signatures files shall not be encrypted.
If the files in the package are encrypted
after applying the digital signatures, the digital signature files shall
be encrypted.
See also section 5.2.
It is current practice to first encrypt
and then apply the digital signatures."
</proposal>
I have enter this text as proposal to
OFFICE-3869.
Mit freundlichen Grüßen / Best regards
Oliver-Rainer Wittmann
--
Advisory Software Engineer
-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland
Beim Strohhause 17
20097 Hamburg
Phone: +49-40-6389-1415
E-Mail: orwitt@de.ibm.com
-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH / Vorsitzende
des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart,
HRB 243294
From:
Chris Rae <Chris.Rae@microsoft.com>
To:
Oliver-Rainer Wittmann/Germany/IBM@IBMDE,
OASIS OpenDocument TC List <office@lists.oasis-open.org>
Date:
13.01.2015 21:25
Subject:
RE: [office]
ODF 1.2 PAS Submission comment JP5 - OFFICE-3869: proposal for discussion
Sent by:
<office@lists.oasis-open.org>
In the two "If a digital signature". sentences,
we should probably use the more normative "shall" terminology,
so:
"If a digital signature file is not encrypted, each encrypted file
covered by the digital signatures shall be signed in its encrypted form."
and
"If a digital signature file is encrypted, then the files covered
by the digital signatures shall be signed in their decrypted forms."
Also, I am not sure I like the "covered by the digital signature"
wording. Does this mean "referenced by <ds:Reference> elements"
as was in the original wording?
Chris
From: office@lists.oasis-open.org [mailto:office@lists.oasis-open.org]
On Behalf Of Oliver-Rainer Wittmann
Sent: 06 January 2015 04:50
To: OASIS OpenDocument TC List
Subject: Re: [office] ODF 1.2 PAS Submission comment JP5 - OFFICE-3869:
proposal for discussion
Hi,
next try ;-)
considering Regina's feedback, our discussion in our last TC call and Dennis'
feedback given on the comment list I would like to refine my proposed response
to JP5:
<proposal>
We agree that the current wording might cause an uncertainty regarding
the relationship between encryption and digital signatures.
We suggest to replace the last two paragraphs of section 5.2 in Part 3
by:
"If a digital signature file is not encrypted, each encrypted file
covered by the digital signatures is signed in its encrypted form."
and
"If a digital signature file is encrypted, then the files covered
by the digital signatures are signed in their decrypted forms."
We also suggest to introduce a new section 3.9 "Interactions Between
Encryption and Digital Signatures" with the following content:
"An OpenDocument Package Producer that both encrypts files in the
package and applies digital signatures to files in the package should either
first encrypt (per section 3.4) and then apply the digital signatures (per
section 5) or first apply the digital signatures and then encrypt.
If the encryption of the files is done first, the digital signatures files
shall not be encrypted.
If the files in the package are encrypted after applying the digital signatures,
the digital signature files shall be encrypted.
See also section 5.2.
It is good pratice is to first encrypt and then apply the digital signatures."
</proposal>
My refinement based on the following observations:
- Dennis replied that we can drop "as identified in META-INF/manifest.xml"
- There can be more than one digital signature file - see section 3.5 in
part 3 of ODF 1.2
- There can be more than one digital signature in a digital signature file
- see section 5.2 in part 3 of ODF 1.2
- The reference how a digital signature file is encrypted is obsolete.
- The note from Dennis regarding the manifest can be dropped. Section 3.4.1
in part 3 of ODF 1.2 contains this information already from my point of
view.
Mit freundlichen Grüßen / Best regards
Oliver-Rainer Wittmann
--
Advisory Software Engineer
-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland
Beim Strohhause 17
20097 Hamburg
Phone: +49-40-6389-1415
E-Mail: orwitt@de.ibm.com
-------------------------------------------------------------------------------------------------------------------------------------------
IBM Deutschland Research & Development GmbH / Vorsitzende
des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen / Registergericht: Amtsgericht Stuttgart,
HRB 243294
From: Regina Henschel <regina.henschel@libreoffice.org>
To: office@lists.oasis-open.org
Date: 01.01.2015 19:38
Subject: Re: [office] ODF 1.2 PAS Submission
comment JP5 - OFFICE-3869: proposal for discussion
Sent by: <office@lists.oasis-open.org>
________________________________________
Hi Oliver,
Oliver-Rainer Wittmann schrieb:
> Hi,
>
> I am not an expert in the area of ODF encryption and digital signatures,
> but I would like to propose to combine would Dennis, Rob and Michael
had
> been discussed.
I'm no expert too and have only mediocre knowledge of English, but
nevertheless some comments:
>
> My proposal for our response to JP5 is:
> <proposal>
> We agree that the current wording might cause an uncertainty regarding
> the relationship between encryption and digital signatures.
> We suggest to replace the last two paragraphs of section 5.2 in Part
3 by:
> "If a digital signature file is not encrypted, any encrypted
files
> covered by the digital signature are signed in their encrypted form
as
> identified in META-INF/manifest.xml."
The part "as identified in META_INF/manifest.xml" is not clear
to me.
What thing is "identified"? What means "as identified"?
"each" instead of "any"?
I'm not sure about singular/plural in "digital signature file"
(here and
in your next paragraph). There is in part 3.5 "Digital signatures
are
stored in one or more files..." and in part 5.2 "The
<dsig:document-signatures> root element serves as a container for
any
number of <ds:Signature> 5.3 elements" and the heading 5 "Digital
Signatures File".
> and
> "If a digital signature file is encrypted using the encryption
means
> specified for ODF 1.2 Packages, then the digital signature applies
to
> the decrypted forms of all encrypted files in the package exactly
as if
> they had not been encrypted. (Note that in this case, the manifest,
> which is never encrypted, is different when there are encrypted files
> than when there are not. In particular, the manifest must include
the
> parameters that must be known to decrypt the encrypted digital signature
> files.)"
"digital signature applies to the decrypted forms of all encrypted
files
in the package"
This sound to me as if all encrypted files need to be digital signed?
Do not use "must". It is a normative key-word in OASIS, but not
in ISO.
Suggestion (similar to wording as in part 3.2):
"In particular, the manifest shall provide information required to
decrypt the file correctly when the encryption key is also supplied."
> We also suggest to introduce a new section 3.9 "Interactions
Between
> Encryption and Digital Signatures" with the following content:
> "An OpenDocument Package Producer that both encrypts and applies
digital
> signatures to a document is advised to either first encrypt (per section
> 3.4) and then apply the digital signatures (per section 5) or to first
> apply the digital signatures and then encrypt.
Is "document" meant in the normative sense of part 3.1 "Unless
otherwise
stated, the term document refers to the document contained in the root
of the package."?
> If the encryption is done first, the digital signature file is not
> encrypted. If the document is encrypted after applying the digital
> signatures, the digital signature file is encrypted - see also section
5.2.
> The perference is to first encrypt and then apply the digital signatures."
> </proposal>
Typo: perference --> preference
I'm not sure about "digital signature file is not encrypted"
and
"digital signature file is encrypted". Is this normative? If
yes,
shouldn't it be "shall not be encrypted" and "shall be encrypted"?
The proposal has the parts "is advised" and "preference".
Is that
possible in a norm?
>
> Please give feedback to this proposal.
Kind regards
Regina
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]